Oracle® Application Server Containers for J2EE Security Guide
10g Release 2 (10.1.2) Part No. B14013-01 |
|
![]() Previous |
![]() Next |
This chapter describes security issues affecting J2EE applications in Oracle Application Server Containers for J2EE (OC4J).
This chapter contains these topics:
The following are components of the OC4J security architecture:
The OracleAS JAAS Provider, which provides support for storage, retrieval, and administration of realm information (users and roles) and policy information (permissions). The OracleAS JAAS Provider supports two possible repositories or provider types:
XML-based Provider Type
LDAP-based Oracle Internet Directory (available only with Oracle Application Server Infrastructure installation)
JAAS login modules, such as the RealmLoginModule
, third-party LoginModule
s, and custom LoginModule
s
See Also:
|
The OracleAS JAAS Provider is designed to work with the J2EE declarative security model. This declarative model requires little or no programming to use JAAS security in your application. Instead, most security decisions are made as part of the deployment process, making it easy to make changes without requiring re-coding. If the declarative model is not sufficient, the OracleAS JAAS Provider also supports programmatic security in the same manner that JAAS is used in any J2SE environment.
If your application relies on the declarative security model (where J2EE security roles are defined in deployment descriptors, such as web.xml
), the developer must determine if the application uses application-specific roles. If so, the developer must define these roles so that they can be mapped to the J2EE logical roles during the deployment phase.
Using the declarative security model, the deployer must make the following security-related decisions:
Determine the J2EE logical roles that are assumed in the application, then define these roles in the deployment descriptors. For example, an HR application may assume that the J2EE logical role hr_manager
is running the application; the deployer must define that role.
Determine the authorization constraints that apply to these roles and define them in the deployment descriptors. For web modules, these constraints typically apply to URL patterns as defined in the J2EE specification. EJB modules typically have constraints at the EJB-method level.
Decide whether to use an XML flat file or Oracle Internet Directory (LDAP) as the repository for the OracleAS JAAS Provider. This also determines which provider, XML-based or LDAP-based, and user manager the application uses.
Map the security roles (including the application-specific roles, if they exist) to users and groups defined by the OC4J user manager (for instance, JAZNUserManager
). For example, the J2EE logical role called hr_manager
may be mapped to a given set of users defined by the OC4J user manager.
For information on making and implementing these decisions, see Chapter 6, "Security Considerations During Application Deployment"; for a full discussion of deployment, see the Oracle Application Server Containers for J2EE User's Guide.
Oracle Application Server Containers for J2EE is a J2EE container that accepts HTTP and RMI client connections. These connections permit access to servlets, Java Server Pages (JSPs), and Enterprise JavaBeans (EJBs).
J2EE containers separate business logic from resource and lifecycle management. This enables developers to focus on writing business logic, rather than writing enterprise infrastructure. For example, Java servlets simplify Web development by providing an infrastructure for component, communication, and session management in a Web container integrated with a Web server.
The OracleAS JAAS Provider is integrated with Oracle Application Server Containers for J2EE and with OracleAS Single Sign-On to enhance application security. This integration provides the following benefits:
run-as
identity support, delegation support (from servlet to Enterprise JavaBeans)
Full support for OracleAS Single Sign-On
Support for custom LoginModule
s
The OracleAS JAAS Provider is supported through JAZNUserManager
, JAZNUserManager
, an implementation of the OC4J UserManager
interface, supports the following features:
Secure storage of obfuscated passwords
Full role-based access control (RBAC), including hierarchical roles
Full support for the Java 2 permission model and JAAS
Secure implementation based on the Java 2 permission model, allowing non-trusted (or partially trusted) code to run in the same JVM as the OracleAS JAAS Provider
OracleAS Single Sign-On integration with Oracle Application Server Containers for J2EE
RealmLoginModule
integration in non-OracleAS Single Sign-On environments
Support for custom JAAS login modules
Identity propagation
The OracleAS JAAS Provider integrates with several different login authentication environments in a J2EE application.
Uses OracleAS Single Sign-On to authenticate logins
Uses Secure Socket Layers for client certificate-based authentication
Uses a login module (for example, RealmLoginModule
) to authenticate logins
Prompts user directly for username and password, without going through OracleAS Single Sign-On
Uses a login module (for example, RealmLoginModule
) to authenticate logins
When the user attempts to access a protected resource, OC4J checks whether the user has already been authenticated. If not, OC4J displays an application-specific login screen, prompting for username and password.
The following sections discuss how the OracleAS JAAS Provider integrates with each of these authentication types.
OracleAS Single Sign-On lets a user access multiple applications with a single set of login credentials. Figure 3-1 shows JAAS integration in an application running in an OracleAS Single Sign-On-enabled J2EE environment.
Figure 3-1 OracleAS Single Sign-On and J2EE Environments
This section describes the responsibilities of Oracle components when an HTTP client request is initiated in an OracleAS Single Sign-On-enabled J2EE environment.
An HTTP client attempts to access a Web application, WebApp A1, hosted by Oracle Application Server Containers for J2EE (the Web container for executing servlets). Oracle HTTP Server (using an Apache listener) handles the request.
mod_osso/Oracle HTTP Server receives the request and:
Determines that WebApp A1 application requires Web-based OracleAS Single Sign-On for authenticating HTTP clients
Redirects the HTTP client request to the Web-based OracleAS Single Sign-On (because it has not yet been authenticated).
The HTTP client is authenticated by OracleAS Single Sign-On through a user name and password or through a user certificate. OracleAS Single Sign-On then:
Validates the user's stored login credentials
Sets the OracleAS Single Sign-On cookie (including the user's distinguished name and realm)
Redirects back to the WebApp A1 application (in Oracle Application Server Containers for J2EE)
The OracleAS JAAS Provider retrieves the OracleAS Single Sign-On user.
Note: For full details on OracleAS Single Sign-On, see the Oracle Application Server Single Sign-On Administrator's Guide. |
SSL is an industry standard protocol for managing the security of message transmission on the Internet. Figure 3-2 shows JAAS integration in an application running in an SSL-enabled J2EE environment.
Figure 3-2 Oracle Component Integration In SSL-Enabled J2EE Environments
Basic authentication bypasses OracleAS Single Sign-On. Figure 3-3 shows specific JAAS integration in an application configured for Basic authentication in a J2EE environment.
Figure 3-3 Oracle Component Integration in j2ee Environment
This section describes the responsibilities of Oracle components when an HTTP client request is initiated in a J2EE environment configured for Basic authentication. In this environment, OracleAS Single Sign-On is not used. A login module (for example, RealmLoginModule
) is used.
An HTTP client attempts to access a Web application (named WebApp A1) hosted by Oracle Application Server Containers for J2EE (the Web container for executing servlets).
OC4J invokes the RealmLoginModule
whenever user credentials are required. For example, when a request hits a protected page, OC4J will ask the OracleAS JAAS Provider to authenticate the user, then the RealmLoginModule
will be invoked to authenticate the user, using the credentials sent by the user via the browser over HTTP.
The OracleAS JAAS Provider retrieves the user.
See Also: Your Sun Java documentation for more information on J2EE by visiting the following URL: |
Authentication is the process of verifying the identity of a user in a computing system, often as a prerequisite to granting access to resources in a system. User authentication in the J2EE environment is performed by the following:
OracleAS Single Sign-On (for OracleAS Single Sign-On environments) or the OracleAS JAAS Provider RealmLoginModule
or other login module (for non-OracleAS Single Sign-On environments)
Before HTTP requests can be dispatched to the target servlet, the JAZNUserManager
gets the authenticated user information (set by mod_osso
) from the HTTP request object and sets the JAAS subject in Oracle Application Server Containers for J2EE.
One of the following:
JAZNUserManager
XMLUserManager
A developer-supplied UserManager
Note: Developer-suppliedUserManager s are deprecated and will be desupported in a future release.
|
You can choose to configure the JAZNUserManager
so that a filter enables the target servlet to run with the permissions and roles associated with an authenticated identity or run-as identity. To do this, configure the jazn-web-app
element.
See Also: "JAZNUserManager" for further information on options and configuration of theJAZNUserManager filter, including the jazn-web-app element.
|
The following javax.servlet.HttpServletRequest
APIs retrieve authentication information within the servlet:
Authorization is the process of granting permissions and privileges to an authenticated user. This section discusses authorization within servlets.
If the servlet is configured to permit doAs()
, the JAZNUserManager
invokes an authenticated target servlet within a Subject.doAs()
block to enable JAAS-based authorization in the target servlets.
Authorization is achieved through the following:
JAZNUserManager
Methods based on JAAS authorization:
Two distinct role types are available to application developers creating secure applications in J2EE environments: J2EE roles and JAAS roles. When these role types are mapped together using Oracle Application Server Containers for J2EE group mappings, users can access an application with a defined set of role permissions for as long as the user is mapped to this role.
This section describes these role types and how they are mapped together.
The J2EE development environment includes a portable security roles feature defined in the web.xml
file for servlets and Java Server Pages (JSPs). Security roles define a set of resource access permissions for an application. Associating a principal (in this case, a JAAS user) with a security role assigns the defined access permissions to that principal for as long as they are mapped to the role. For example, an application defines a security role called sr_developer
:
<security-role> <role-name>sr_developer</role-name> </security-role>
You also define the access permissions for the sr_developer
role.
<security-constraint> <web-resource-collection> <web-resource-name>access to the entire application</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <!-- authorization --> <auth-constraint> <role-name>sr_developer</role-name> </auth-constraint> </security-constraint>
JAAS roles and users are defined depending on the provider type, LDAP-based or XML-based.
For example, with the XML-based provider type, developer is listed as a role element in the jazn-data.xml
file:
<role> <name>developer</name> <members> <member> <type>user<type> <name>john<name> </member> </members> </role>
Oracle Application Server Containers for J2EE (OC4J) enables you to map portable J2EE security roles defined in the J2EE web.xml
file to groups in an orion-application.xml
file.
The roles and users defined in your provider environment are mapped to the Oracle Application Server Containers for J2EE developer
group role in the orion-application.xml
file.
For example, the sr_developer
security role is mapped to the group named developer.
<security-role-mapping name="sr_developer"> <group name="developer" /> </security-role-mapping>
Notice that a <group>
in a <security-role-mapping>
element corresponds to a role in the OracleAS JAAS Provider. Therefore, this association permits the developer
group to access the resources allowed for the sr_developer
security role.
In this paradigm, the user john
is listed as a member of the developer
role. Because the developer
group is mapped to the J2EE security role sr_developer
in the orion-application.xml
file, john
has access to the application resources defined by the sr_developer
role.